Just How Vulnerable is Your SaaS Supply Chain to Compromise?

By John Filitz, Group Product Marketing Manager, AppOmni

SaaS supply chain compromise represents one of the most insidious cybersecurity threats facing enterprises. Simply stated, no enterprise organization can guarantee that its software supply chain is safe from attack.

What they can do, however, is improve visibility and control – a key step to improving the cybersecurity resiliency of the SaaS supply chain. The starting point is a realization that SaaS represents a significant and multifaceted threat vector that must be prioritized.

Read on to see why SaaS supply chain risk is a growing threat vector and how a SaaS Security Posture Management (SSPM) solution empowers you to address this risk proactively.

Misconfigurations and Social Engineering

The amalgamation of hundreds of SaaS apps in an organization has come to represent a de facto enterprise operating system. This also means that the ever-expanding SaaS estate, with more apps onboarded every month, steadily increases the attack surface.

Beyond this growth in attack surface, SaaS is particularly susceptible to compromise because it is extremely vulnerable to simple human error. For example, without SaaS security posture monitoring, an employee or contractor can, in a few clicks, expose sensitive authentication tokens or over-provision user accounts, either of which can significantly increase the impact of a breach.

Additionally, negligent security practices such as weak authentication protocols are a major contributing factor to SaaS security risk. Unfortunately, weak authentication protocols persist in many organizations, even those that have already suffered a breach. Examples include a lack of uniformity in enforcing Multi-Factor Authentication (MFA) as the default across all SaaS apps. Poor password management and enforcement policies, or no policies at all, are also culprits.

Then there are the threat actors actively exploiting security vulnerabilities, including by targeting end users. Social engineering attacks remain a mainstay for establishing initial access, owing to the low barrier to entry and the high probability of finding a security misconfiguration such as an over-privileged account or a weak authentication protocol. These attacks can yield high payoffs for threat actors and often go unnoticed for prolonged periods of time.

Third Party and Open Source Risk

Turning the lens onto the actual SaaS solution providers, they too represent an extremely attractive, high-yield target to threat actors. This is due to their wide reach into nearly every enterprise, given how universal SaaS adoption has become.

Although SaaS adoption continues to increase, the reality is that many SaaS apps become dormant after six months, yet their third-party plugins to other SaaS apps and their OAuth tokens remain active, effectively presenting attackers with an entry point to SaaS platforms. According to Harold Byun, chief product officer at AppOmni, “the security risks of SaaS-to-SaaS connections often remain invisible to common security solutions such as Cloud Access Security Brokers (CASBs) or Secure Web Gateways (SWGs) because the access model effectively occurs cloud-to-cloud with no intermediary method that is able to detect SaaS-to-SaaS activity.”
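The dormant-but-still-authorized integration described above is something a security team can audit directly from a SaaS provider's OAuth grant inventory. The following script is an added example written for this article (it is not AppOmni's code and not any provider's API): it takes a constructed list of grants, flags those that are unused past a threshold, never used, or owned by a user who has since been deprovisioned, and raises the severity when the surviving token carries write or admin scopes. The scope names and the 180-day dormancy threshold are assumptions chosen for illustration.

```python
"""Audit SaaS-to-SaaS OAuth grants for dormant or orphaned integrations.

Added example for this article; the grant inventory below is constructed,
and the scope names are assumed illustrations rather than any provider's list.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Scopes that let an integration change data or act beyond read-only access.
# Assumed examples; the real scope strings differ per SaaS provider.
HIGH_IMPACT_SCOPES = {"repo", "admin:org", "workflow", "write:packages", "full_access"}


@dataclass
class OAuthGrant:
    app_name: str
    grantor: str               # user who authorized the integration
    scopes: set
    last_used: Optional[datetime]  # None: provider reports no usage at all
    revoked: bool = False


def audit_grants(grants, now, active_users, dormant_after=timedelta(days=180)):
    """Return findings for grants that are idle, never used, or orphaned.

    A finding is 'high' when the surviving token carries a high-impact scope,
    otherwise 'medium'. Revoked grants are skipped because the token is dead.
    """
    findings = []
    for g in grants:
        if g.revoked:
            continue
        reasons = []
        days_idle = None if g.last_used is None else (now - g.last_used).days
        if g.last_used is None:
            reasons.append("never used")
        elif days_idle > dormant_after.days:
            reasons.append(f"idle for {days_idle} days")
        if g.grantor not in active_users:
            reasons.append(f"grantor {g.grantor} is no longer an active user")
        if not reasons:
            continue  # in use and owned by an active user: nothing to report
        high_impact = sorted(g.scopes & HIGH_IMPACT_SCOPES)
        findings.append({
            "app": g.app_name,
            "grantor": g.grantor,
            "severity": "high" if high_impact else "medium",
            "high_impact_scopes": high_impact,
            "days_idle": days_idle,
            "reasons": reasons,
        })
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["app"]))


# Constructed sample inventory: a fixed "now" keeps the output reproducible.
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)
ACTIVE_USERS = {"alice@example.com", "carol@example.com", "dave@example.com"}  # bob has left
SAMPLE_GRANTS = [
    OAuthGrant("ci-runner", "alice@example.com", {"repo", "workflow"}, NOW - timedelta(days=3)),
    OAuthGrant("old-dashboard", "bob@example.com", {"repo", "read:user"}, NOW - timedelta(days=400)),
    OAuthGrant("slack-notifier", "alice@example.com", {"read:user"}, NOW - timedelta(days=200)),
    OAuthGrant("retired-tool", "carol@example.com", {"admin:org"}, NOW - timedelta(days=300), revoked=True),
    OAuthGrant("never-used-app", "dave@example.com", {"repo"}, None),
]


def run_sample():
    return audit_grants(SAMPLE_GRANTS, NOW, ACTIVE_USERS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] {f['app']} ({f['grantor']}): {'; '.join(f['reasons'])}"
              f" scopes={f['high_impact_scopes']}")
```

Run against the sample, the active `ci-runner` grant produces nothing, while `old-dashboard` is flagged twice over (idle for 400 days and owned by a departed user) with a `repo` scope still attached. Feeding the script a real export means mapping the provider's grant fields onto `OAuthGrant` and replacing the scope set with the provider's own high-impact scopes.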

In the past year alone, at least nine high-profile, third-party-related SaaS breaches affected customers of the world’s largest open source developer platform, GitHub, which is used by nearly every enterprise developer team.

The affected industries spanned nearly every sector, from IT and automotive manufacturing to big pharma. Consider these notable attacks:

  • In January 2023, CircleCI, a DevOps platform used by thousands of organizations, disclosed that its GitHub repositories had been compromised via an employee-targeted phishing attack.
  • Microsoft fell victim to a phishing attack in the early part of 2022 that resulted in an employee’s account being compromised and the threat actors gaining access to its GitHub source code repositories.
  • TravisCI and Heroku, both developer solutions, were victims of a breach in 2022 that saw a significant amount of data, including OAuth tokens, compromised from what GitHub is attributing to an “upstream” supply chain attack.

In many of these instances, the customers were unaware of the fact that their sensitive code repositories were being actively compromised. It was only as a result of GitHub notifying them that they learned of the breaches.

Flying Blind as Vendors Are Breached

The duration and impact of a breach are hard to determine without continuous SaaS security monitoring. Without insight into security misconfigurations and the sensitive data exposure that results from them, breaches may go undetected for months or even years, as we saw infamously with Yahoo and, more recently, Toyota.

In the recent case of Toyota, it was revealed that customer data had been exposed for the past five years because a website subcontractor “mistakenly uploaded part of its source code” to a public GitHub repository. That source code included credentials for one of its servers.

Clearly, the risks of an unmonitored SaaS security posture are profound, both from a data-breach-exposure standpoint and from a liability standpoint. It is ultimately the customer’s responsibility to ensure the security of its SaaS environments. Had GitHub not noticed the nefarious activity and informed the respective customers of their compromised accounts, who knows when, or whether, the compromises would have been discovered.

As a result of these numerous breaches, GitHub is finally enforcing two-factor authentication for all contributor accounts, effective March 2023.

How to Keep Your SaaS Secure

According to Joseph Thacker, senior offensive security engineer at AppOmni, common SaaS security risks manifest “due to companies either not logging, or failing to inspect, their SaaS event logs. Only by having a security solution like AppOmni that continuously detects and alerts security teams on suspicious SaaS log activity will you be able to detect and prevent threat actors from compromising your environment.”

On the importance of SaaS posture management, Thacker shares, “It’s vital to ensure users and service accounts are not over-provisioned, so that in the event of a breach this significantly reduces the blast radius. It’s also crucial to stay on top of what repos are private and who has access to them, which will similarly reduce the risk of a token or credential leak.”

Finally, Thacker calls for the appropriate level of concern given the slew of GitHub breaches we have witnessed over the past 12 months, stating, “The leaks really do have massive consequences. CI/CD tokens often grant access to the build process, meaning an attacker can access and modify the code of a victim’s products, which you can imagine would have a massive negative impact.”
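Thacker's two points above, that SaaS event logs must actually be inspected and that leaked CI/CD tokens give an attacker reach into code repositories, can be turned into concrete detection logic. The script below is an added example for this article, not AppOmni's product logic and not GitHub's audit-log schema: it parses a constructed JSON-lines audit log and applies three rules a defender would want, namely a repository being switched to public (the failure mode in the Toyota case), a single actor cloning many distinct repositories in a short window (what a stolen CI token tends to be used for), and an actor appearing from a source IP never seen for it before. Event names, field names, the sample IP baseline and the thresholds are all assumptions chosen for illustration.

```python
"""Rule-based detection over a SaaS audit log (constructed sample).

Added example for this article. The event schema, actor names, IP addresses
and thresholds are assumed illustrations, not any provider's real format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines audit log. Documentation/test addresses only.
SAMPLE_LOG = """\
{"ts": "2023-02-10T09:00:01Z", "action": "repo.clone", "actor": "ci-bot", "repo": "acme/payments", "ip": "203.0.113.7"}
{"ts": "2023-02-10T09:00:05Z", "action": "repo.clone", "actor": "ci-bot", "repo": "acme/billing", "ip": "203.0.113.7"}
{"ts": "2023-02-10T09:00:09Z", "action": "repo.clone", "actor": "ci-bot", "repo": "acme/auth", "ip": "203.0.113.7"}
{"ts": "2023-02-10T09:00:12Z", "action": "repo.clone", "actor": "ci-bot", "repo": "acme/web", "ip": "203.0.113.7"}
{"ts": "2023-02-10T09:00:15Z", "action": "repo.clone", "actor": "ci-bot", "repo": "acme/infra", "ip": "203.0.113.7"}
{"ts": "2023-02-10T10:15:00Z", "action": "repo.clone", "actor": "alice", "repo": "acme/web", "ip": "198.51.100.4"}
{"ts": "2023-02-10T11:30:00Z", "action": "repo.visibility_change", "actor": "bob", "repo": "acme/site-contractor", "ip": "198.51.100.9", "to": "public"}
{"ts": "2023-02-10T12:00:00Z", "action": "repo.clone", "actor": "alice", "repo": "acme/auth", "ip": "192.0.2.55"}
"""

# Assumed baseline of source IPs previously observed per actor.
KNOWN_IPS = {"ci-bot": {"203.0.113.7"}, "alice": {"198.51.100.4"}, "bob": {"198.51.100.9"}}


def parse_log(text):
    """Parse JSON lines into event dicts with real datetimes, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, known_ips, clone_threshold=5, window=timedelta(minutes=10)):
    """Apply three rules and return a list of alert dicts."""
    alerts = []
    clones = defaultdict(list)  # actor -> [(ts, repo), ...] in time order
    for e in events:
        # Rule 1: a repository switched to public exposes everything in it,
        # including any credentials committed by mistake.
        if e["action"] == "repo.visibility_change" and e.get("to") == "public":
            alerts.append({"rule": "repo-made-public", "severity": "high",
                           "actor": e["actor"], "repo": e["repo"], "ts": e["ts"]})
        # Rule 2: activity from a source never seen for this actor suggests
        # a token being replayed from somewhere it should not be.
        if e["ip"] not in known_ips.get(e["actor"], set()):
            alerts.append({"rule": "new-source-ip", "severity": "medium",
                           "actor": e["actor"], "ip": e["ip"], "ts": e["ts"]})
        if e["action"] == "repo.clone":
            clones[e["actor"]].append((e["ts"], e["repo"]))
    # Rule 3: many distinct repositories cloned by one actor inside a short
    # window is the bulk-exfiltration pattern a stolen CI/CD token enables.
    for actor, items in clones.items():
        for i, (start, _) in enumerate(items):
            repos = {repo for ts, repo in items[i:] if ts - start <= window}
            if len(repos) >= clone_threshold:
                alerts.append({"rule": "bulk-clone", "severity": "high", "actor": actor,
                               "repos": sorted(repos), "ts": start})
                break  # one alert per actor is enough
    return alerts


def run_sample():
    return detect(parse_log(SAMPLE_LOG), KNOWN_IPS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ts'].isoformat()} [{a['severity']}] {a['rule']} actor={a['actor']}")
```

On the sample this yields three alerts: the contractor repository going public, `alice` cloning from an unfamiliar address, and `ci-bot` pulling five distinct repositories in fourteen seconds; `alice`'s own two clones, spread over hours, stay below the bulk threshold. In practice the baseline in `KNOWN_IPS` would be learned from historical logs, and the clone threshold tuned to what the organization's CI normally does, so that the rule flags deviation rather than routine builds.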

Protecting Your Organization’s SaaS Supply Chain

Having visibility and control over the SaaS estate is no longer optional. Every dutiful organization is concerned with the integrity of their information systems and data, as well as protecting their customers and end users.

This is why it is absolutely vital to actively and continuously monitor the security and threat posture of an organization’s SaaS applications. This imperative extends to third-party and open source applications as well.

Understanding and addressing this risk proactively is the very reason why AppOmni was founded. We provide extensive and ever-growing coverage for SaaS applications along with continuous monitoring and threat detection capabilities that proactively detect and prevent SaaS security risks and threats from becoming security incidents.

See why some of the leading enterprises in the world have chosen AppOmni as their SaaS security solution of choice. Schedule a demo today.
